Hi, I am trying to configure a simple JSSE Client/Server with mutual authentication (using PKCS11 keystore/truststore on SCA6000 card). But I seem to be having trouble configuring a trust store for this.

What I have done is generated a Server CA, client CA, server certificate signed with my "Server CA", and a client certificate signed with my "Client CA". I then added the server cert and private key to the server side keystore, and similarly the client's pair on the client side. Now I wish to add the "Server CA" to the client trust store and vice-versa. If I try to insert the CAs using keytool I get an error saying:

    "trusted certificates may only be set by token initialization application"

which is fair enough, considering normal applications cannot set CKA_TRUSTED=true. So I resorted to using certutil to insert the certificate into the "Sun Metaslot" (after creating secmod.db) thus:

    # certutil -A -d . -n "serverCA" -a -t "CT,," -i serverCA.pem -h "Sun Metaslot"
    Enter Password or Pin for "Sun Metaslot":

I can list it using certutil:

    # certutil -L -d . -h "Sun Metaslot"
    Enter Password or Pin for "Sun Metaslot":
    Sun Metaslot: serverCA    CT,,
    Sun Metaslot: client      u,u,u

And also with pktool:

    # pktool list token=Fipsks objtype=both
    Enter pin for Fipsks :
    Found 1 keys.
    Key #1 - RSA private key: client
    Found 2 certificates.
    1. (X.509 certificate)
       Label: client
       ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
       Subject: C=IN, ST=clientst, O=clientorg, CN=client
       Issuer: C=IN, ST=Some-clientst, O=clientorg, CN=clientCA
       Serial: 0x00
    1. (X.509 certificate)
       Label: serverCA
       ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
       Subject: C=IN, ST=serverst, O=serverorg, CN=serverCA
       Issuer: C=IN, ST=serverst, O=serverorg, CN=serverCA
       Serial: 0x00

However the JSSE Client/server cannot access these CA certificates from the trust store.

keytool confirms that the inserted CA certs are not visible from java:

    # keytool -list -storetype pkcs11
    Enter keystore password:
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-SCA6000

    Your keystore contains 1 entry

    client, PrivateKeyEntry,
    Certificate fingerprint (MD5): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    <serverCA not visible here :( >

My question is: How do I add a trustedCertEntry to a pkcs11 keystore/truststore? I can do this quite easily with keytool for a JKS keystore, but I want to use pkcs11, for only then I can store Trusted CAs on the card. Any help is greatly appreciated as I cannot proceed without having the truststore configured properly...

Regards,
Sandeep
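The check that the keytool listing above performs by hand, as an added example that is not part of the original post: it enumerates what the SunPKCS11 KeyStore actually exposes (a certificate object surfaces as a trustedCertEntry only when it carries CKA_TRUSTED=true, the attribute the post notes ordinary applications cannot set), then builds the mutual-authentication SSLContext with the key on the card and, if the token exposes no trusted entry, a software JKS truststore for the peer CA. It assumes the SunPKCS11-SCA6000 provider is statically registered in java.security, as the keytool run relies on; the command-line arguments and the class name are assumed, not from the post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/* Assumes SunPKCS11-SCA6000 is registered in java.security (as keytool -storetype pkcs11 needs). */
public class Pkcs11TrustCheck {

    /* Prints every alias the PKCS11 KeyStore exposes and returns how many are trustedCertEntry
     * objects; SunPKCS11 reports only certificate objects carrying CKA_TRUSTED=true as such. */
    static int listEntries(KeyStore ks) throws Exception {
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                System.out.println(alias + ", PrivateKeyEntry");
            } else if (ks.isCertificateEntry(alias)) {
                System.out.println(alias + ", trustedCertEntry");
                trusted++;
            }
        }
        return trusted;
    }

    /* args: <token PIN> [<fallback JKS truststore path> <its password>]  (assumed CLI, not from the post) */
    public static void main(String[] args) throws Exception {
        char[] pin = args[0].toCharArray();
        KeyStore card = KeyStore.getInstance("PKCS11");
        card.load(null, pin);                          // private key and chain stay on the card
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(card, pin);

        // Use the token as truststore only if it really exposes a trustedCertEntry; otherwise the
        // peer CA is not among the anchors, so fall back to a software JKS truststore holding it.
        KeyStore trust = card;
        if (listEntries(card) == 0) {
            if (args.length < 3) {
                throw new IllegalStateException("no trustedCertEntry on token (CKA_TRUSTED not set) and no fallback truststore given");
            }
            trust = KeyStore.getInstance("JKS");
            FileInputStream in = new FileInputStream(args[1]);
            try { trust.load(in, args[2].toCharArray()); } finally { in.close(); }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready; trust anchors from " + (trust == card ? "PKCS11 token" : args[1]));
    }
}
```

Run it on both sides: if the server CA is listed as a trustedCertEntry the token is doing the job; if only the PrivateKeyEntry appears, the certutil import did not set CKA_TRUSTED and the context is built from the fallback truststore instead.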